At least as safe as manned shipping? Autonomous shipping, safety and “human error”

(1)

Safety and Reliability – Safe Societies in a Changing World – Haugen et al. (Eds)

At least as safe as manned shipping? Autonomous shipping, safety and “human error”

T. Porathe & Å. Hoem

Norwegian University of Science and Technology, Trondheim, Norway

Ø. Rødseth & K. Fjørtoft

SINTEF Ocean, Trondheim, Norway

S.O. Johnsen

SINTEF Technology and Society, Trondheim, Norway

ABSTRACT: A paradigm shift is presently underway in the shipping industry promising safer, greener and more efficient ship traffic with unmanned, autonomous vessels. In this article, we will look at some of these promises. The expression “autonomous” and “unmanned” are often used interchangeably. We will therefore start out by suggesting a taxonomy of automation and manning of these ships. We will then go on examining the promise of safety. An hypotheses of increased safety is often brought forward and we know from various studies that the number of maritime accidents that involves what is called “human error” ranges from some 70–90 percent. If we replace the human with automation, can we then reduce the number of accidents? And is there a potential for new types of accidents to appear? Risk assessment will be a valuable tool, but will only reach as long as to the “known unknowns”.

few minutes and the autonomous Yara shuttle was to pass in the other direction soon after. The tanker was already approaching from the far side of the bridge sounding her horn to let the kayaker know she was approaching the 200 meters wide strait, something that probably did not make the situation better for the child in the kayak, the VTS operator thought. From the other side the autonomous shuttle was visible inbound on a westerly course with her 6 knots. He expected her to slow down any minute as her sensors detected the kayak in the sound.

Suddenly two water scooters appeared from no- where, criss-crossing over the strait and around the kayak at some thirty or forty knots. The VTS operator could hear the roar from their engines all the way into the VTS tower. The surplus water shot up like a fountain from the back of the scooters and their wakes brought the water into turmoil around the kayak. In his binoculars, the VTS operator saw the child in the kayak letting go of his paddle and waving his arms to signal the scooters. Suddenly the kayak flipped over and the boy disappeared into the water. The scooters shot off towards the far side and the operator could see the head of the boy reappear on the surface beside the overturned kayak. He was right in the way of the tanker. The operator quickly grabbed the VHF receiver and called the tanker.

1 INTRODUCTION

The shipping industry are about to enter a new epoch. The story started in the 1800 when mecha- nized power was introduced and the vessels moved from propulsion by sail to propulsion by steam.

The next stage came in the early 1900’s when the diesel engine enabled more efficient and reliable ship services, analogous to the introduction of mass production on shore. In the 1970’s the com- puterized control of ships was introduced. Now we are about to go a step further where cyber physical systems and autonomy, as part of “Shipping 4.0”

(Rødseth 2017), will form a new gravity.

1.1 The first autonomous ship accident

We will start this article by a fictive illustration: It was an unusually warm to be in the end of October.

The water in the strait was completely calm and mir- rored the sky and the setting afternoon sun. In the Vessel Traffic Service (VTS) tower under the bridge the operator followed a lone kayak with his binoculars. It seemed like the kayaker was a child and not very proficient in his or her paddling and the kayak only slowly worked its way across the sound. The timing for crossing was not the best, the operator thought. He had an outbound oil tanker due in a

(2)

“Tarnfjord, Tarnfjord this is Brevik VTS on channel 16. Have you seen the overturned kayak ahead of you?”

“Brevik VTS, this is Tarnfjord. Rodger that. We are slowing down and holding to port. We should manage to avoid the kayak. But we cannot reverse.

And we will have close call with Yara.”

“OK, Tarnfjord, thank you for that,” the VTS operator replied, and continued immediately to call the shuttle, “Yara remote control, Yara remote control, are you following what is happening in the Brevik strait?”

He turned and looked at the shuttle and could see that she had not slowed down as he had expected.

Both of the ships were now only a few hundred meters from the overturned kayak under the bridge.

“Yara remote control, Yara remote control, this is Brevik VTS on channel 16. Please respond Yara.”

He took up his binoculars and saw that the tanker was slowly turning. The shuttle was now only some 100 meters from the overturned kayak and the turning tanker and still showed no sign of slowing down.

The radio crackled. “Brevik VTS, this is Yara.

Did you call me? I had a coffee break.”

“Thank, you, Yara,” the operator quickly replied. “Stop immediately; can’t you see the kayak in front of you?”

“No, the sun is completely blinding both my cameras and on the radar I only see the bridge” the remote operator answered, and then he shouted

“What the hell is the tanker doing!”

We will not know how this incident ended as it is pure fiction and the Yara shuttle will not start to traffic the Brevik strait in southern Norway until 2021 (she will be manned in 2019, remote controlled in 2020, before attempting to go autonomous 2021). Nevertheless, the situation could be plausi- ble. Kayaks, scooters and other leisure crafts will be close companions to autonomous ships in Scan- dinavian waters summertime. Cameras and radars can be deceive, as was shown in the Tesla car accident in 2017 (Lambert 2017; NTSB 2017). Bridges may obscure radar detection of objects underneath.

Objects coming and leaving like the two scooters may confuse the artificial intelligence of collision avoidance systems, and LIDAR (Light Imaging, Detection, And Ranging) is only useful at close range, closer than the stopping distance. Finally, the human backup may have gone for a cup of coffee.

The fictional incident above is, maybe unfairly, attributed to the planned autonomous Yara- Birkeland container feeder (Kongsberg Maritime 2017). This unmanned, autonomous vessel, taking 120 containers on a fully electric propulsion system, will replace some 20 000 trucks taking the same amount of containers on the road today.

There is an economic as well as environmental

gain to be made. Doing this autonomously and unmanned will be a challenge. So let us start by looking at that.

1.2 Ambiguity in definitions

The concepts of unmanned and autonomous when used on ships are ambiguous. The ship bridge may be unmanned, perhaps in periods, but crew may still be on board, ready to take control when needed. A ship can also be remotely controlled from a shore station via highly redun- dant and high capacity communication links. Is this ship unmanned or autonomous? A dynamic positioning (DP) system on a ship will automatically control the position and perhaps the heading of the ship, but most DP systems will rely on an operator to handle any errors, e.g. in sensors, that occur during the operation. Is the DP automatic or autonomous?

Furthermore, to what ship functions do unmanned or autonomous apply? In (Rødseth &

Tjora 2017), eight main functional groups are identified, including, e.g. navigation, engine control, cargo monitoring and onboard safety functions. In the following text, we will refer to typical bridge functions, but in a truly autonomous ship, all shipboard functions must be automated to some degree and the degree of autonomy may be different for each function.

Finally, the degree of autonomy will be different during the ship’s voyage. Tighter supervision and perhaps continuous remote control will be necessary during berthing while a high degree of autonomy is normally desired during the deep-sea passage.

This ambiguity is reflected in many existing definitions of “autonomy levels”. In (Vagia et al. 2016), 12 different “levels of autonomy” are examined and even more have become available as autonomy levels have been extended to ships (Rødseth

& Nordahl 2017). One reason for the numerous definitions is that autonomy must be defined along several axes and with a strong focus on the operational profile at hand. The idea of autonomy is very context dependent.

1.3 Three axes of autonomy

For ships, we propose to characterize autonomy along three axes (Rødseth & Nordahl 2017).

One axis is the complexity of the intended operation. Is the ship operating in sheltered or open seas, what are the likely weather or visibility impacts, how much other traffic is there, how complex is the sailing routes in terms of shallows, turns and obstacles, and so on. We propose to capture the complexity in the operational design domain (ODD) as explained in the next section.

(3)

The second axis is the manning level. The ship can have a continuously manned bridge, but still have a high degree of autonomy in automated object detection and collision avoidance. One can foresee ships with enough autonomy to allow the crew to go to bed at night, when sailing in open waters and fair weather. Ships can also be remotely controlled, with hardly any “real” autonomy at all. On the other end of the axis, one may see ships with no crew and no remote monitoring at all: they are fully autonomous. The manning level is dealt with in Table 1.

The third axis is the operational autonomy, how the necessary operations to satisfy require- ments of the ODD are divided between human and machines. We propose to capture this aspect by diving the Dynamic Navigation Tasks (DNT) into two parts: One part that requires human intervention to be executed (Operator Exclusive DNT) and one that can be handled by the automation systems (Control System DNT).

1.4 A proposed taxonomy

To simplify the definition of autonomous and unmanned, we will start with a concept borrowed from the US car industry and its definition of ter- minology for autonomous cars (SAE 2016). This is called the “Operational Design Domain” (ODD) which is the operational conditions that limits when and where a specific autonomous car can be used.

The corresponding capabilities of the car and its control systems is the “Dynamic Driving Task”

(DDT). The concept also includes the “DDT Fall- back” which is procedures and safety guards that are built into the vehicle and control systems for handling situations when the ODD is exceeded. The DDT Fallback will bring the system to a “minimal risk condition” (SAE 2016). For a ship, we suggest renaming DDT to the “Dynamic Navigation Task”

(DNT).

Most autonomous or unmanned ships are expected to have a “backup” operator somewhere on board or on shore, so that situations that cannot be handled by automatic functions can be safely handed over to the operator. This can be illustrated by dividing the DNT into two regions:

Table 1. List of autonomous ship operation types.

Continuously manned

bridge Unmanned bridge, crew

on board Unmanned bridge, no crew

on board Operator controlled Direct control Remote control Remote control

Automatic Automatic control Automatic control Automatic control

Partly autonomous Partly autonomous Partly autonomous Partly autonomous

Constrained autonomy Constrained autonomy Constrained autonomy

Full autonomy Full autonomy

The “Operator Exclusive DNT” where the operator is needed to resolve problems that the automation cannot handle and the “Control System DNT” which represents the unassisted capabilities of the automatic systems. The complete concept is illustrated in Figure 1.

A proposed set of definitions for autonomous merchant ships (Rødseth, Nordahl 2017) indicates that four distinct levels of autonomy may be needed and are probably sufficient. These levels are defined independently of the human operator being located on board the ship or in a remote location:

1. Operator controlled (AL0-1): The DNT is fully handled by the operator. Systems may provide decision support or very limited automatic control, e.g. as in an auto pilot or track pilot. This is the current situation on today’s ships.

2. Automatic (AL2): The ship systems can operate without human intervention for a very specific function, typically as a DP system works today.

An operator is required to handle all deviations from expected operational parameters.

This autonomy level is probably appropriate for automatic berthing or other situations where very accurate control is needed and where less deterministic and autonomous problem handling is unwanted.

3. Partly autonomous (AL3): The ship can perform certain tasks in the DNT autonomously, e.g.

transiting open sea in fair weather. This can, e.g.

be used to have a periodically unmanned bridge.

4. Constrained autonomous (AL 4): The ship can operate autonomously within most or all of the Figure 1. The operational design domain and dynamic navigation task.

(4)

DNT, but it has clear limits to what actions it can take by itself, e.g. maximum speed and track deviations. If the ship needs to exceed these limits, e.g. due to anti-collision manoeuvres, the operator has to be called to change limits or to remotely control it until constrained operations can resume.

5. Fully autonomous: The ship systems can per- form all its DNT tasks without human intervention. There are no operational limits beyond those defined by the OOD.

Constrained autonomy is the most likely type of autonomy for fully unmanned ships with shore supervision. It enables the ship to solve all “stand- ard” problems by itself while reducing system complexity by having an operator available for the more complex situations. It also gives a high degree of operational determinism due to the operational envelope it cannot exceed without human acceptance. Fully autonomous is the necessary level for autonomous ships that have no remote supervisor.

This will in many cases require very complex control systems and is not very likely level for ships in the near future.

The levels can be characterized by having different ratios between the operator exclusive DNT (black) and the control system DNT (grey), as illustrated in Figure 2. One may validly argue that the levels between automatic and constrained autonomy should be the same class as they both have operator and control system DNTs. However, it is useful to differentiate between them since they are likely to be used in different context during the voyage.

Dependent on autonomy level and the operator being available on the ship or on shore, one can de-fine the matrix in Table 1. The shaded cells represent operations where one will require a manned shore control center to handle deviations from operator DNT fast enough. The empty cells

represent types that are not very relevant, although possible.

The level of autonomy will vary over the ship’s different functions such as engine control, cargo monitoring and navigation functions. It will also vary during the ship’s voyage. This may be result of, e.g. using an unmanned bridge during night and open sea passage or by having different modes in different phases of the voyage, e.g. using remote control during port approach and automatic control during berthing.

2 AUTOMATION

Going back to the concept of ODD and DNT, one may argue that most incidents occurring with automated systems may be of the following types:

1. Errors in control system DNT (CS-DNT):

These are purely technical errors that occur in the automation systems and associated sensors.

It may be caused by technical system malfunc- tions or by design errors in system designs or configurations.

2. Errors in operator exclusive DNT (OE-DNT):

These are human operational errors that may have been caused by, e.g. fatigue or low situation awareness which, in turn, may have been caused by bad technical systems. However, the incident is directly attributed to a human operational error.

3. Transition from CS-DNT to OE-DNT: This is a critical issue as the transition both has a timing aspect and must be fast enough and a situation awareness aspect as the human must under- stand the background for the transition to make the correct decisions.

4. Operator intervention in CS-DNT: There are also examples of incidents that have been caused by operators intervening in automated processes when they should have left the automation system alone.

5. Transition from OE-DNT to CS-DNT: This is probably a less common type, but it may be challenging to make sure that the automatic control system is activated at the right time and with the right parameters settings.

6. Transition to DNT Fallback: When to activate the DNT Fallback is also a critical issue. The DNT Fallback is not necessarily a “fail to safe”

control as ships do not have a generally safe state. It is a “minimal risk condition” (SAE 2016). Thus, there is an inherent risk in going from OE-DNT or CS-DNT to DNT Fallback and it is a challenge to define the proper conditions for doing so, particularly when a human is in the control loop.

Figure 2. Five levels of autonomy.

(5)

While this classification seems most relevant for autonomous ships, it is also applicable to manned ships with automation or decision support compo- nents. In particular, the transitions between automatic and human control in current automated systems will be a good indication of how this problem will develop when more autonomy is added in the system.

In the following, we will discuss known benefits and shortcomings of today’s manned operation with automation and see how that can be applied to autonomous ships.

3 SAFETY, HUMANS AND AUTOMATION If autonomous unmanned ships are to become a success they have to prove successful in several areas, and safety is one of them. Thus, the first thing we might ask is how safe is then manned shipping?

3.1 At least as safe as manned shipping

In a study by Oxford University on British data from 1976 to 1995, the seafaring job is ranked as the second most dangerous occupation in Britain—

after being a fisher (Roberts 2002). This is however not usually because ships are sinking, but because of occupational hazards like slips, trips, and falls on a moving platform full of heavy gear and a hazardous environment. In this sense, we might conclude that already removing humans from this hazardous environment has a safety benefit.

However, if we by safety think of the safety of the ship we can say that shipping is very safe and is becoming even safer every year. Just to provide a background we can note that in the three years between 1833 and 1835, on average 563 ships per year were reported wrecked or lost in United Kingdom alone (Crosbie 2006). Today the total number of tankers, bulk carriers, containerships and multi- purpose ships (over 100 Gross Tons) in the world fleet has risen from about 12,000 in 1996 to some 33,000 in 2016 (Clarkson 2017). During the same time, the number of ships totally lost per year (ships over 500 Gross Tons) declined from 225 in the year 1980, to 150 in 1996 and 33 in 2016 (total losses as reported in Lloyds List – IUMI 2016) – and this worldwide.

If we look at ship accidents broken down into different causes, we can see that between 2012 and 2016 50% of ships totally lost did this because of weather. Some 20% grounded, 10% was lost because of fire or explosion, 5% by collision, and 10% by machine failure. (Total Losses, all vessel types over 500 Gross Tons – IUMI 2017)

As we can note from the above, there is no men- tioning of any losses due to “human error”. This

is because the statistics often chose a single, simple cause of the accident, but if we drill down looking for a root cause we often find “human error”

on one level or another in almost all cases. Dhillon (2007) compiled the following statistics:

A study of 6091 major accident claims associated with all classes of commercial ships, revealed that 62% of the claims were attributable to “human error”.

“Human error” contributes to 84–88% of tanker accidents.

“Human error” contributes to 79% of towing vessel groundings.

Over 80% of marine accidents are caused or influenced by human and organization factors.

“Human error” contributes to 89–96% of ship collisions.

A Dutch study of 100 marine casualties found that “human error” contributed to 96 of the 100 accidents. (For detailed references see Dhillon 2007, p. 2)

Let us illustrate how “human error” can be a part of almost all accidents. Let us briefly look at the recent collision accident between the general cargo ship Daroja and the oil bunker barge Erin Wood that took place in Scottish waters in 2015 (MAIB 2016). In August 2015 the two vessels col- lided off the east coast of Scotland. It was a nice summer afternoon with light wind and no sea state.

The two vessels were both north bound but with crossing courses which brought them closer and closer together for almost two hours without any one of the two bridge officers apparently noticing the other ship until too late. Visibility was excel- lent, radar and AIS tracking was available on both bridges. The UK Maritime Accident Investigation Board concluded that “Daroja and Erin Wood col- lided because a proper lookout was not being kept on either vessel.” (MAIB 2016, p. 40) This accident would appear in the aforementioned statistics as a “collision”, but the underlying root cause was

“improper lookout”, which would classify it as

“human error”.

A variety of taxonomies for “human error” has been proposed. One example is the simple dichot- omy between “errors of omission” and “errors of commission” (Wickens et al., 2013). “Errors of omission” mean: not doing anything when something should have been done, as the watch keepers above. “Error of commission”, on the other hand, means: doing the wrong thing.

A more elaborated taxonomy developed by Norman (1988) and Reason (1990) involves “mistakes,” “slips” and “lapses.”

“Mistakes,” are when the operator has not fully understood the situation and acts intentionally.

“Slips,” on the other hand, are when the intention is right but the action is carried out wrong.

(6)

Maybe the wrong button is pressed although the intention was to press the right one. Because humans monitor their own actions, slips are often noticed and corrected before any harm has been done.

“Lapses,” finally, are a failure of making any action at all, i.e. an error of omission. Often they are lapses of memory, forgetfulness. Humans forget, we become distracted or think about other things.

This is all part of the human condition. Maybe the two watch keepers in the accident above was think- ing about other things and forgot to monitor their systems and look out of the window? “Lapses” are sometimes easy to prevent by technical solutions like automation.

One may ask how come there was no warning issued to make the two watch officers aware of the pending danger. Radar systems on both ships as well as the AIS tracks in the electronic chart systems could theoretically extrapolate the courses of the vessels to a collision point. In addition, systems on land that gather AIS data could have made the same calculation. Why is it that available data is not used to the benefit of safety when possible? Why was there no warning and why did not the systems automatically make a small course or speed change to stay out of the close quarter situation? It is because automation is a controversial issue. Warnings are often turned off by operators, because of many false alarms.

3.2 Why automation can make ships safer A large part of the robustness of the shipping industry demonstrated by the constant decline in shipping accidents has to do with automation. The error prone and difficult position fixing, previously done by manual methods like dead reckoning, or sun heights and bearings to landmarks, when sun, stars and land was in sight, has now been replaced by satellite based navigation systems with very high reliability. Manual steering which in old days caused large course errors has been replaced by auto pilots or even track pilots which can follow a pre-programmed path with an accuracy of a few meters- or even centimetres when augmentation systems are used. Just to mention a few areas of marine automation.

The reason automation is safer is that they address human shortcomings like:

Fatigue: Humans are day animals. We are designed to be active by day and sleep by night.

Our whole cognitive system is designed for work by day. Even if augmented by technical means, our decision making is crippled during night, even if we are accustomed to shift work by night. A larger degree of accidents happen during night. (e.g.

Wagstaff & Sigstad Lie 2011)

Attention span: The ability to focus and sustain attention on a task is crucial for the achievement of one’s goals. Although attention span is a complex concept and measures depend on a lot of different thing, most researchers agree that the time span humans need to concentrate to handle tasks without being distracted is limited, e.g. 10–20 minutes in healthy teenagers and adults (Wilson &

Korn 2017).

Information overload: Overload can be of many kinds. Too much to do, and too little time to do it. Too much information that needs to be con- sidered presented in an unintegrated way at the same time. It boils down to limits of the human working memory. Miller in 1956 famously stated that humans at the most could handle 5–9 information chunks at one time. But, underload can also be a problem. During a conference in 2014 a British maritime accident investigator mentioned a new type of boredom-induced accidents. Evidence of the so-called Yerkes-Dodson law (first proved on mice in 1908) show that human performance describes an inverted U-shaped curve when plot- ted against arousal (or stress) so as low arousal also may lead to low performance and elevated arousal lead to higher performance to a certain point when performance declines with higher stress (cognitive tunnelling).

Normality bias: This is a form of denial 70%

humans revert to when facing events of disaster, as a result of which they underestimate the possibility of the disaster actually happening and its potential results (Omer & Alon 1994).

We could go on stating human shortcomings in this way for many pages, however we think the point is made: automation can make ships safer.

3.3 Why automation can make ships less safe In the everlasting strive to make life easier, humans have automated tasks that are tedious, dangerous, dirty, boring, etc. However, a paradox in automation is that it has often been the easi- est tasks that has been possible to automate. In complex and ambiguous situation, the human has had to step in to resolve the ambiguity and finish the task.

Automation needs to be programmed and can therefore only solve simple or complicated prob- lems. By “complicated”, we here mean that there is a finite solution space that can be parsed by computers. In reality, many real world problems are complex in the sense that they have an infinite solution space due to many unknown factors and interrelationships. For such problems, it is not even theoretically possible to program to solve all possible situations (possibly leaving machine or deep learning aside).

(7)

The dynamic maritime environment with sea and current, weather, topography, manned and autonomous ships is such a complex environment and will for a very long time need a human to step in and resolve problems out of the range of automation. As we have seen above, there is relatively good statistics on “human error”, however there are almost no statistics on “human recoveries”, where humans has stepped in and saved a situation caused by e.g. technical malfunction.

An illustration of such a recovery can be fetched from an incident in1991.

In this incident a product tanker loaded with 20 000 metric tons of gasoil was under way through the narrows of a winding Scandinavian archipelago. In a bend in the fairway she had a routine meeting with one of the large ferries traf- ficking the area. The ferry had almost 1000 passengers and crew onboard. As the tanker applied starboard rudder to negotiate the bend in the fairway, the captain noticed that the rudder instead turned to port and a port turn was commenced a few hundred meters in front of the oncoming ferry.

The captain immediately reversed the engine, but realizing that he would not be able to prevent the turn, he called the ferry on the VHF saying they had a breakdown on the steering engine and asked for “green-to-green” (starboard side to starboard side) meeting. The ferry responded promptly, but by making a starboard 360 degree turn and the ships passed each other on parallel courses with 20–30 meter between. The accident investigation board calculated that if the action from the ferry had been delayed 30–60 seconds a collision with the ferry running into the amidships section of the tanker in a right angle would have been impossible to avoid (SHK 1992). The consequences can only be imagined.

The accident investigation concludes that it was the decisive actions by the captains of the two ships that avoided a possible catastrophe. One may wonder what would have happened if one or both of the ships had been autonomous. Remember also the pilot of the airliner that landed on Hudson River in 2009, and who, by acting against proto- col and procedures, miraculously saved the lives of passengers onboard (NTSB 2010).So, on one hand we have incidents due to human error that can be avoided with automation, on the other hand we have incidents that is now avoided with humans, but will happen when no humans are onboard.

But new technology also opens for new types of accidents.

These relationships are described in Figure 3.

Automation of human processes (middle cir- cle, Figure 3) are expected to significantly reduce the number of incidents happening in shipping today, but one must also assume that a number of

potential incidents are averted by the crew’s actions and it is not clear if improved automation can match these numbers. Finally, one must also assume that some new types of incidents will occur as a result of the introduction of new technology (far left). The net result is the remaining grey areas and the question is if this will be low enough for societal acceptance of the new ship types.

Thus, while the assumption is that the net result of automation will be lesser accidents and incidents, this remains to be shown. Within commercial air industry, automation has improved safety, (e.g. Billings 1997; Pritchett 2009; Wiener 1988). Can we assume that the same is true for the shipping domain? One way of dealing with this is through risk analysis.

3.4 Risk analysis

Risk analysis can be “broadly defined to include risk assessment, risk characterization, risk communication, risk management, and policy relating to risk, and risks of concern to individuals, to pub- lic- and private-sector organizations, and to society at a local, regional, national, or global level” (SRA 2012). In this paper’s context, we look at risk analysis as risk assessment where risk is defined as the combination of the frequency and the severity of the outcome of an accident (IMO 2002).

The expected frequency of accidents must often be derived from an assumed accident probability, as statistical significant data on frequencies are impossible to find. Obviously, this particularly applies to new technology or ship types as in autonomous ships. The probabilities are difficult to determine in themselves and, in addition, the strength of knowledge used to establish the probabilities need to be addressed. In autonomous systems the strength of knowledge is generally low due to lack of experience and the complexity of the autonomous marine system.

The prevalent strategy to the increased (socio- technical) complexity, lack of coherence, and speed of change in contemporary systems, science and Figure 3. Remaining incidents in the autonomous ship after automating human processes.

(8)

the discipline of risk management, is to incorporate uncertainty, ambiguity, and the knowledge dimen- sion per se in the risk measure (Paltrinieri et al.

2016). This is done through risk analysis of potential accident scenarios that we eventually are aware off and can manage. This is emergent research and there is not much hard knowledge in the area, although some papers have been published, e.g.

(Utne et al. 2017) and (Rødseth & Tjora 2014).

The second paper is mainly a preliminary haz- ard identification (HazId) study based on use cases and ship function breakdowns. It suggests a frame- work for doing HazId in the unknown environment of the autonomous ship based on assumptions on what can happen and how this influences on the different functions the ship systems have to provide. The first paper argues for a more holistic approach to risk management, including dynamic risk assessments during the autonomous voyage.

This paper will not go further into this area, but it is important to point out that determining the complete risk level for the autonomous ship will be very challenging. As was illustrated in Figure 3, there are more new issues that have to be taken into consideration and for at least two of these we do not have any statistics that can be used in estimates of probabilities. Although, e.g. HazId may be able to identify the hazards and accident consequences, we are still left with very uncertain probabilities and the limitation to the known knowns and known unknowns.

Within safety science, the concept of “human error” are seldom used after 1990’s since it has been seen that “human error” is not a cause but a result of other factors such as poor design, poor plan- ning, poor procedures, etc. (Dekker 2006). Instead the concept of “human variabity” from Resilience Theory is often used (Hollnagel, Woods & Leveson 2006). Human variability that sometimes might lead to “human errors” but maybe more often to

“miraculous recovery”. Positive actions and successful recoveries are usually not recorded, as mentioned in Leveson (1995, p. 94); where an U.S. Air Force study showed 659 crew recoveries in 681 in- flight emergencies; with only 10 pilot errors.

4 CONCLUSION

It seems to be generally accepted that automation has the potential to decrease accidents that are due to human variability.

However, automation has the potential of cre- ating accidents in itself, e.g. through transitions between automatic and manual control and the human having to rapidly assess the situation and make the right decisions.

Automation also sometimes creates problems by reducing the work load of the human, inducing boredom and by that further increasing the time needed to do a correct assessment.

With constrained autonomy being the most likely form of ship autonomy, one needs to inves- tigate if these issues actually can increase the probability of some accident types compared to conventional manned ships.

Also, autonomy will create new types of accidents, as suggested by the illustration in the begin- ning of the paper This is partly due to accidents that was before averted by the human crew and partly due to introduction of new technology and corresponding new accident types. These types of accidents are very challenging to include in the risk analysis as we lack statistical evidence for their probability.

To address the new risk picture, one probably need new types and extensive use of human cen- tred risk analysis. Also, one needs to consider the development and use of dynamic risk assessment systems during autonomous voyages, as well as other real time tools that can be used on the ship or in the shore control centre.

ACKNOWLEDGEMENT

This work is supported by the SAREPTA (Safety, autonomy, remote control and operations of industrial transport systems) project, which is financed by Norwegian Research Council with Grant No. 267860.

REFERENCES

Bilings, C.E. 1997. Aviation automation: the search for a human-centered approach. Mahwah, N.J.: Lawrence Erlbaum Associates Publishers.

Crosbie, J.W. 2006. Lookout Versus Lights: Some Side- lights on the Dark History of Navigation Lights. The Journal of Navigation, 59, 1–7.

Dekker, S. 2009. The field guide to human error. Bedford, UK: CRC Press.

Dhillon, B.S. 2007. Human Reliability and Error in Trans- portation Systems. London: Springer.

Hollnagel, E., Woods, D.D. & Leveson, N.C. (eds.) 2006.

Resilience engineering: Concepts and precepts. Alder- shot, UK: Ashgate.

IMO MSC/Circ.102/MEPC/Circ.392. 2002. Guidelines for Formal Safety Assessment (FSA) for use in the IMO Rule-Making Process. As amended. London: IMO.

Kongsberg Maritime. 2017. Autonomous ship project, key facts about YARA Birkeland https://www.

km.kongsberg.com/ks/web/nokbg0240.nsf/AllWeb/4 B8113B707 A50 A4FC125811D00407045?OpenDocu ment. [Accessed 2017–11–14].

(9)

Lambert, F. 2016. Understanding the fatal Tesla accident on Autopilot and the NHTSA probe. https://electrek.

co/2016/07/01/understanding-fatal-tesla-accident- autopilot-nhtsa-probe/ [Accessed 2017–12–14].

Miller, G. 1956. The Magical Number Seven, Plus or Minus Two: Some limits on our capacity for process- ing information. Psychological Review. 63 (2): 81–97.

Norman, D.A. 1988. The Psychology of Everyday Things.

New York: Basic Books.

NTSB, National Transport Safety Board. 2010. Aircraft Accident Report: Loss of Thrust in Both Engines After Encountering a Flock of Birds and Subsequent Ditch- ing on the Hudson River: US Airways Flight 1549.

https://www.ntsb.gov/investigations/AccidentReports/

Reports/AAR1003.pdf [Accessed 2018–02–09].

NTSB, National Transport Safety Board. 2017. Colli- sion Between a Car Operating With Automated Vehi- cle Control Systems and a Tractor-Semitrailer Truck Near Williston, Florida May 7, 2016. NTSB/HAR- 17/02, PB2017-102600.

Omer, H. & Alon, N. 1994. The continuity principle: A unified approach to disaster and trauma. American Journal of Community Psychology, 22: 273.

Paltrinieri, N. & Khan, F. (eds.). 2016. Dynamic Risk Anal- ysis in the Chemical and Petroleum Industry: Evolution and Interaction with Parallel Disciplines in the Perspec- tive of Industrial Application. Butterworth-Heinemann.

Pritchett, A.R. 2009. Aviation Automation: General Perspectives and Specific Guidance for the Design of Modes and Alerts. Reviews of Human Factors and Ergonomics. Vol 5, Issue 1, 2009.

Reason, J. 1990. Human error. Cambridge University Press.

Rødseth Ø.J. & Nordahl H. (eds.). 2017. Definition for autonomous merchant ships. Version 1.0, October 10. 2017. Norwegian Forum for Autonomous Ships.

http://nfas.autonomous-ship.org/resources-en.html.

[Accessed 2017–12–10].

Rødseth, Ø.J. 2017. Towards Shipping 4.0. Proceedings of Smart Ship Technology. Royal Institution of Naval Architects. ISBN 978-1-909024-63-2.

Rødseth, Ø.J., & Tjora, A. 2014. A risk based approach to the design of unmanned ship control systems.

Maritime Port Technology and Development, 2014.

SAE. 2016. SAE J3016: Taxonomy and Definitions for Terms Related to On-Road Motor Vehicle Automated Driving Systems, Revision September 2016, SAE International.

SHK, Statens Haverikommision. 1992. Near collision between MT Tarnfjord and RoPax Wellamo. Stat- ens Haverikommision, RAPPORT S 1992:1 Ärende S-06/91. Stockholm: SHK.

Utne, I.B., Sørensen, A.J., & Schjølberg, I. 2017. Risk Management of Autonomous Marine Systems and Operations. In ASME 2017 36th International Con- ference on Ocean, Offshore and Arctic Engineering.

American Society of Mechanical Engineers.

Vagia, M., Transeth, A.A. & Fjerdingen, S.A. 2016. A literature review on the levels of automation during the years. What are the different taxonomies that have been proposed? Applied ergonomics 53: 190–202.

Wagstaff, A.S. & Sigstad Lie J.A. 2011. Shift and night work and long working hours − a systematic review of safety implications. Scandinavian Journal of Work Environment and Health, 2011;37(3):173–185.

Wickens, C.D., Hollands, J.G., Banbury, S. & Parasuraman, R. 2013. Engineering Psychology and Human Perform- ance (3rd ed.). New York: Pearson.

Wiener, E.L. 1988. Cockpit automation. Human factors in aviation (A89–34431 14–54). San Diego, CA: Aca- demic Press, p. 433–461.

Wilson, K. & Korn, J.H. 2007. Attention During Lec- tures: Beyond Ten Minutes. Teaching of Psychology.

34 (2): 85–89.

(10)